January 17, 2012
How risky? The elements of an effective payments risk management program
Financial institutions manage a range of businesses with distinct risk management needs. Banks of all sizes that offer payment services to retail and commercial clients must appropriately identify and manage the myriad dimensions of risk entailed. The Retail Payments Risk Forum recently spoke with Tony DaSilva, a senior bank examiner at the Federal Reserve Bank of Atlanta. The conversation, captured in a podcast and highlighted in this post, covered the elements of a successful payments risk management program. Formerly a banker, DaSilva is able to take the perspective both of the supervisor and of the supervised institution when it comes to understanding the challenges of managing retail payments risk.
He said that in financial institutions today, "payments risk management is sometimes informal or decentralized." Without a comprehensive risk assessment, said DaSilva, these institutions have a heightened vulnerability to risks they do not understand. As a result, they may incur losses, lawsuits, or even regulatory formal actions.
Often, the scope and rigor of the bank's risk management program is not commensurate with the bank's risk profile. He added that the loose oversight combines with a variety of other factors to undercut a bank's risk management capabilities. A major driver in adding new payment services may be anxiety for fee income in an environment where many sources of payments revenue have been pressured.
Other factors include incomplete due diligence or inadequate "know-your-customer" (KYC) programs, or the institution may have insufficient payment expertise, senior leadership involvement, or employee and management training. DaSilva has seen institutions that do not perform adequate risk assessments or due diligence when deploying new payment products or services, for example, or when engaging in third-party service-provider relationships.
Implementing a strong risk management program
DaSilva explained that there are multiple types of risk in the payments business that institutions must consider. These types include "credit risk, compliance risk, transaction risk, fraud risk, and legal and reputational risk." Responding to all these requires establishing a risk management program with the following elements:
- Planning. Having clear, defined objectives, a well-developed business strategy, clear payments risk parameters, and a role within the financial institution's strategic plan.
- Risk identification and assessment. Senior management knowledge and understanding of their institution's risks is critical. The risk assessment should be incorporated into the bank's overall risk management process, which will vary by institution.
- Mitigation. Establish policies and procedures to mitigate identified risks. These policies should consist of clearly defined responsibilities and strong internal controls over transactions. Mitigation is also achieved through a good risk-based audit program, and well-designed contracts and agreements.
- Measurement and monitoring. Periodic reporting should enable the board and senior management to determine that payments activities remain within the bank's established risk parameters.
The role of bank leadership in risk management
DaSilva repeatedly emphasized that it is critical for bank board and senior management to be actively involved with and knowledgeable about their institution's payments risk management. For an institution to be able to gauge senior management knowledge, he suggested it begin by exploring whether management "understands the inherent product risks, the compliance requirements, the ability to monitor, the operations management and operational risks, [as well as] their reputational [and] legal risk."
DaSilva encouraged leveraging subject matter experts and ensuring that the retail payments strategy matches the bank's overall strategy and competencies. The best policy may be to limit product offerings to those for which management and employees have a full understanding of the accompanying risks. Despite the pressure to develop new sources of revenue, financial institutions should carefully evaluate the risks of any new payment product before adding it to their portfolio.
To end on a positive note, DaSilva has seen some institutions improving in all the right areas. They are assessing and mitigating risk across multiple payment channels, products, and delivery systems, including ACH, remote deposit capture, card products, and wire transfer. And for icing on the risk management cake, some do annual reviews of client accounts that include exposure from all payment, deposit, and loan products.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
January 17, 2012 in banks and banking, payments risk, risk management
November 21, 2011
Remote deposit capture: If you expand it, will fraud come?
It has been nearly two years since Portals and Rails focused on remote deposit capture (RDC). In just this short period, the RDC market has grown significantly and changed rapidly. This growth and change has led to approximately 13 percent of checks being deposited as images at the bank of first deposit, according to the 2010 Federal Reserve Payments Study. In addition, financial institutions and banks, which initially offered RDC capabilities primarily to their commercial customers, are now broadening these services to include their retail customers. Even the hardware used for RDC is evolving from desktop scanners to mobile phones. Despite this growth and evolution, RDC fraud has been minimal, much as my colleague, Cindy Merritt, discussed in an April 2009 post.
According to a new Celent report, the commercial RDC market is nearing maturity, with an estimated 75 percent of U.S. banks and 50 percent of U.S. financial institutions offering at least one RDC service. Given this mature commercial market, any future growth of RDC services should be expected via retail consumers. This growth will come from the adoption of retail RDC services by banks and financial institutions as well as the expansion of the service into new payment products—most notably, prepaid cards. As RDC usage expands to more retail consumers and additional payment products, we have to wonder if fraud associated with it will rise or continue to be held under control.
Current risk assessment
According to the 2011 Payments Fraud and Control Survey from the Association of Financial Professionals, only 1 percent of surveyed organizations responded that someone had used their electronic check conversion service to commit fraud. This figure is unchanged from the 2009 survey.
A similar assessment of RDC fraud recently emerged from the Financial Crimes Enforcement Network (FinCEN). FinCEN analysts identified 1,017 Suspicious Activity Report (SAR) filings related to RDC that banks and credit unions filed between January 1, 2005, and July 31, 2011. More than half of these reports were filed after the start of 2010. These 1,017 RDC-related SARs account for only about 0.1 percent of all bank-filed, check-fraud-related SARs. FinCEN found no real differences between the RDC channel and more traditional check depositing channels when it came to fraud schemes (for example, check kiting and counterfeit or altered checks).
Will the low level of fraud be sustainable as the service grows?
To date, banks and other financial institutions have successfully managed risks for commercial RDC services. Whether by restricting the use of the service to only its most vetted commercial clients or limiting the value of allowable remote deposits, banks have implemented risk controls to effectively minimize their risk and fraud exposure associated with RDC.
Banks and financial institutions are now beginning to cast the RDC net into their retail channels. Ally Bank offers its retail customers RDC through the traditional scanner and computer model, while USAA, J.P. Morgan Chase, PNC Bank, and U.S. Bank all now offer mobile RDC for retail consumers. Bank of America is targeting a second-quarter 2012 launch for its retail mobile RDC service. With banks and financial institutions expanding this service to a retail customer base that often undergoes less stringent due diligence than do their commercial customers, is the potential for fraud increasing?
The general-purpose reloadable (GPR) prepaid card market offers a significant growth opportunity for mobile RDC. With this service, GPR prepaid cardholders—many of whom are unbanked—would be able to load funds directly onto their prepaid cards without having to walk into a store, in the same way the service now allows banking customers to deposit checks into their direct deposit accounts.
According to a recent paybefore.com article, several third-party service providers have the risk-management software to enable mobile RDC for the prepaid industry. Interestingly, these third-party software providers will accept the risk of the mobile RDC transactions, taking the responsibility from the prepaid program manager or issuer. However, the inherent dearth of information about GPR prepaid users compared to retail and, especially, commercial banking customers makes RDC services more vulnerable to fraud with this group. In fact, prepaid card users may be unbanked because they have a poor, or no, credit history or they lack appropriate identification and credentials to open a banking account.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
November 21, 2011 in banks and banking, financial services, mobile banking
October 11, 2011
High-impact events in a warming world: Business continuity planning for retail payments
Which will be the first to reopen after a major disaster: your financial institution or the local Waffle House? In some cases, you may be able to order your hash browns smothered, covered, peppered, and chunked before electricity is restored to your usual ATM. The breakfast chain invested heavily in crisis management planning following Hurricane Katrina, and today is recognized as one of the most responsive American companies to disasters. Whether the move was more about building goodwill and trust among customers or about profitability, the underlying operational risk management principles Waffle House employed apply equally to financial institutions and third-party payment processors.
Appropriate operational risk management for any organization includes business continuity planning for even unlikely disasters. In fact, this year's extreme weather highlights the need to prepare for even low-probability but high-impact events. In February, unprecedented snowfall blanketed Chicago. Record numbers of tornadoes ravaged the Southeast this April. Floodwaters swelled the Mississippi River to a new high in May. Just last month, historic flooding menaced the Northeast. Such disastrous weather leads not only to evacuations, grounded flights, and missed school days, but also could affect the ability of banks to maintain retail payment systems. Tellers may not be able to make it into branches to accept deposits and process withdrawals. Flooding can damage ATMs and the cash and checks they contain. Tornadoes may wreck back office processing centers or knock out the electricity and network connectivity critical for clearing and settling transactions on time.
Evidence indicates that global warming is causing an increase in extreme weather. Apart from being frightening, greater volatility in the weather requires a different approach to business continuity risk assessments. And this instability makes it difficult or impossible to determine the actual likelihood of a disruption. As part of a lessons-learned debriefing from Hurricane Katrina, the Federal Financial Institutions Examination Council emphasized that preparing for just this kind of disaster is critical. The agency's advice is to focus on potential outcome, not probability, in assessing business continuity plans:
The impact rather than the source of the threat should guide the development of disaster recovery and business continuity plans.... However, every threat that could pose a high adverse impact generally warrants further consideration regardless of its probability of occurrence.
The Bank for International Settlements has recognized the importance of business continuity planning for the financial services industry, so in 2006, it came out with seven high-level principles that can serve to direct financial institution and payment processor risk management efforts. These principles underline the importance of explicitly considering and preparing for major disruptions and acknowledge that such disruptions are occurring with increasing frequency. They also advise clear and regular communication with affected parties internal and external to the affected business, and note that ultimate responsibility for operational risk rests with senior management and the board of directors of the organization. Once implemented, plans should also be periodically tested and refined as necessary.
In a world that isn't always predictable, strong business continuity plans hinge on making sure businesses are ready for the unexpected. The mission-critical nature of retail payments should challenge financial institutions to be at least as prepared as the local diner.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
October 11, 2011 in banks and banking, financial services, payments systems, risk management
May 02, 2011
The check's in the mail, but it might be fraudulent
Amid the constant hubbub of emerging fraud schemes, research shows us that criminals are rational consumers to the nth degree. They instinctively move to the path of least resistance. While the exciting and glamorous fraud topics today involve wire fraud, account takeovers, ID theft, and skimming, the results of the Association for Financial Professionals' (AFP) annual corporate fraud survey remind us that the most fraud-vulnerable instrument available today is the paper check. Why? Because check fraud is a decidedly low-tech practice whose ingredients include a bit of thievery, a good copying machine, and possibly, but not necessarily, some magnetic ink.
Corporate experiences with check fraud
The AFP's study tabulated survey results from around 400 public, private, nonprofit, and government organizations across a wide range of sizes. Over 70 percent of the respondents reported that they had been the victim of fraud in 2010. Of those, 93 percent reported fraud involving checks, compared to 25 percent with ACH debit fraud and 23 percent with consumer card fraud. Moreover, of the fraudulent methods used, checks also experienced the highest rate of increase, with 30 percent of organizations reporting an increase in check fraud. And check fraud accounted for 53 percent of the reporting organizations’ financial losses. Interestingly, while actual fraud losses were deemed to be modest in total dollar terms, 84 percent of the respondents had made efforts to protect themselves against check fraud by implementing positive pay controls on their corporate accounts; 53 percent had implemented payee positive pay.
Bank experiences with check fraud
The corporate responses synchronized well with the results of the American Bankers Association's (ABA) last deposit account fraud survey in 2009. At that time, 80 percent of respondent banks reported check fraud losses totaling over $1 billion, which is 23 percent higher than losses experienced with debit/ATM cards. Interestingly, there seems to be little evidence in the ABA report or elsewhere to indicate that check fraud stems from abuse of new technology. At the outset of the implementation of the Check 21 legislation, many industry pundits forecasted that losses would climb as a result of widespread implementation of remote deposit capture (RDC) technology, but it appears such has not been the case. In fact, several large banks, emboldened by the experiences of pioneers such as USAA, have even extended remote capture into the homes of their depositors who are armed with the latest in RDC technology—the smart phone.
Yet, there are growing concerns within the industry that the "gild may be off the lily," as the bad guys learn more about the opportunities. A friend and Sunday school classmate of mine who works for a large national bank reported to me that they had been beset over the past few weeks with an interesting scheme involving new account fraud and checks. Individuals have been opening new accounts and obtaining a debit/ATM card at the outset. After making a modest deposit of good funds to open the account, the new customer then used their ATM card to deposit several counterfeit checks at ATM locations. Per the bank’s policy, some or all funds were made available to the customer immediately (depending on the dollar amount of the check). The customer took advantage of that fact, withdrew the maximum amount possible the next day, before the return deadlines, and then walked away (well, one actually complained because not all funds were made available, but that’s another story, involving criminal indignation).
The unit cost of fraud and fee revenue deliberations
The upshot of all this is that there is a lesson to be learned. Just because we see checks as a diminishing-use instrument doesn't mean we should let our guard down whether we are a consumer, a corporation, or a bank. In tough economic times, a billion-dollar loss to the banking industry is still an expensive ticket. Having just wrapped up the Federal Reserve's 2010 Retail Payments Study, I was interested in exploring fraud from a slightly different angle by looking at the average fraud per check written in the United States. While not all industry surveys align perfectly with respect to samples, time frames, response levels, and so forth, they are close enough to produce some interesting observations. Further, such a calculation might help us understand what the actual "fraud tax" is on checks as banks consider future check service fee issues.
The 2009 ABA study estimated that 760,955 cases of check fraud took place in the 2008 reporting year, with actual losses estimated at $1.024 billion. Compare these numbers to 561,306 cases and $969 million in the 2006 study and 616,469 cases and $677 million in the 2003 study. The concurrent Fed payments studies in 2004, 2007, and 2010 estimated the number of checks written in the United States at 37.6, 33.1, and 27.8 billion, respectively. Doing the math reveals that the per-item cost of fraud losses has gone from $.018 to $.029 to $.036 (unadjusted for inflation). Said differently, the unit cost of fraud for every check written has doubled in six years to 3.6 cents per item even as aggregate check volume has fallen by 26 percent. By the way, this figure represents the costs of fraud losses, not the total cost of fraud management for the check world.
In summary, while the industry debates the issue of the cost of fraud management in the Durbin debit card interchange regulation, perhaps similar scrutiny should be applied to the cost of fraud management in the check world as check volume diminishes. Somewhere out there is an opportunity to adopt an overall fraud management fee strategy as yet another arrow in the quiver of strategically leading customers to payments choices that make sense for the bottom line of a bank.
By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum
May 2, 2011 in banks and banking, check fraud, checks
April 04, 2011
Atlanta and Boston Fed position paper promotes U.S. adoption of mobile payments
As we've mentioned a few times in this blog, mobile payment developments in the United States lag the initiatives undertaken in Asian and African countries. Last week, the payments research teams at the Boston and Atlanta Federal Reserve Banks published a position paper on how the United States should promote the adoption of mobile payments. The paper, "Mobile payments in the United States: Mapping out the road ahead," represents collective views from 15 months of discussions with various representatives of the mobile payments ecosystem, a group that over the course of 2010 came to be known as the Mobile Payments Industry Workgroup (MPIW). The paper lays out the strategic vision for the future and outlines the foundational principles of an efficient and secure mobile payments system.
Convening the MPIW
The Fed brought this group together for several reasons, which we described in an earlier post. We wanted to understand how the key industry stakeholders in this conjoined industry of banks and telecom firms were working together. We hoped to engender a cross-industry dialogue to perhaps develop a mutual understanding between these two groups of the industry direction and consider a noncompetitive strategy to address barriers to industry adoption. The summary of this meeting was published on both the Atlanta and Boston Fed websites to ensure transparency to the industry.
The key takeaway from the meeting was that there is a lot to do to bring the various players together in the United States, where our payment systems are considerably more advanced and suitable for most consumer needs. The group agreed to meet on a quarterly basis to discuss issues of mutual interest, such as how the various participants viewed the drivers and barriers to adoption and how the business models were shaping up, as well as the industry roles and responsibilities. Of course, the group was interested in getting clarity in regulatory and legal oversight for new telecom-enabled financial services.
The group shared ideas and opinions throughout the course of the year. Oftentimes, group members disagreed on specific points. Even on some points of agreement that are outlined in the final paper, in some instances there is still no clear consensus yet on how to move the ball forward. At the very least, the paper represents issues of consensus and those where the industry must collaborate to achieve agreement.
The MPIW foundational principles for successful mobile payments in the United States
The group recognized that the past year has been marked with activity in the form of numerous trials and product rollouts—but without a vision for success shared among all the parties. Ideally, for mobile payments to take off, all participants should have common goals and still be able to flourish in the mobile ecosystem. Standards are necessary for a ubiquitous mobile commerce environment but at the same time, firms need to have the flexibility to differentiate their service offerings and add value to their shareholders. In acknowledging the need for a common environment, the group agreed on a set of foundational principles that represent the business requirements for success, which are described below.
- Most important to the group is the concept of an open mobile wallet that carries broad payment and merchant options for consumer choice and is based on a platform that would enable a wide range of payment methods and networks.
- Near-field-communication contactless technology must be embedded in the handset and support all payment methods and networks, and must comply with business rules and standards for existing payment methods.
- The industry needs to establish a ubiquitous platform for mobile that not only uses existing clearing and settlement channels and rails, such as credit, debit, ACH, prepaid, and carrier billing, but also supports innovative efforts to create new rails.
- The technology supporting the new mobile handset must enable dynamic data authentication to ensure long-term integrity and security.
- The industry must have a global interoperable platform for standards and certification of payment methods for the mobile wallet and all its resident applications—leveraging existing standards when possible.
- The industry needs regulatory clarity to avoid gaps in oversight and ensure robust consumer protections.
- The group acknowledged the importance of the trusted service manager role to manage security and other account management functions.
The goal of the paper is, ultimately, to broadly circulate the ideas and discussions from the MPIW so we can ignite industry leaders to foster further collaborative work. As the paper notes, "[C]learly, there are many more (interested) parties who will need to support the ideas set forth in this document." Further, there are clear benefits to establishing a coordinating entity and forums to continue to build the roadmap for the future.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
April 4, 2011 in banks and banking, mobile payments
January 31, 2011
Payments Spotlight podcast: The evolving threat of corporate account takeovers as seen through a bank's lens
Last July, we spoke with Jane Larimer, executive vice president of ACH network administration and general counsel for NACHA, about fraud in the ACH network via corporate account takeovers. In the latest interview in our Payments Spotlight podcast series, we revisit the issue of corporate account takeovers—this time, from a bank's point of view. Tina Giorgio, senior vice president of operations for Sandy Spring Bank in Columbia, Md., and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, offered some helpful tips for financial institutions on how to best deter corporate account takeover attacks. The podcast is one that financial institutions would benefit from hearing and one worth sharing with their corporate customers.
Addressing corporate account takeover threats
NACHA's Risk Management Advisory Group (RMAG) published a newsletter in April 2010 detailing how criminals target institutions and what institutions can do to prevent an attack. Tina told us that the RMAG has been actively engaged in addressing corporate account takeovers since they emerged in 2007.
Additionally, Tina said that NACHA's board of directors released a policy statement in October 2010 stressing the importance of implementing sound business practices to mitigate the risk of corporate account takeovers in the ACH network. The RMAG, Tina tells us, is currently working on developing resources to assist businesses and banks alike in assessing, establishing, and strengthening sound business practices.
Taking the first step in the fight against corporate account takeovers
The banking system has been combating large-scale phishing attacks for some time now. In recent years, we've seen more frequent reports of global cybercriminals' successfully stealing the credentials of bank customers through numerous low-value transactions or one-time, large-scale attacks against corporate bank accounts.
Tina said that from a bank's perspective, the first step in detecting and protecting against corporate account takeovers requires diligent risk management from the institution and its corporate customer. Educating business customers about sound and safe business practices is critical; essential educational components include the importance of daily account reconciliation and deployment of up-to-date security patches.
Using the bank's existing tool kit
Cybercriminals use sophisticated commercial online banking malware to attack computers that store sensitive banking credentials. Some of these malicious software programs are reportedly undetectable and capable of defeating multi-factor authentication systems. Tina said she believes that some of the best tools at a bank's disposal for combating this malware include employing out-of-band authentication and alerts, as well as maintaining the payment file initiation under dual control. She also said that banks may already have in place some low-tech tools to help prevent these takeovers—exposure limits, origination calendars, and prenotifications all provide added security layers.
Ultimately, Tina said, banks and their corporate customers must remain vigilant in protecting against corporate account takeovers. Otherwise, their risk for these takeovers increases exponentially, and it is the responsibility of each to act safely and defend against these types of cyberattacks. Fraudsters' attacks will continue to become more sophisticated, but adopting these tips and measures can best prepare banks and their corporate customers to defend against cyberattacks.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
January 31, 2011 in account takeovers, ACH, banks and banking, cybercrime, data security, fraud
January 24, 2011
The future role of financial institutions in the domestic P2P environment
Although the use of online banking and online bill payment has flourished over the past decade, banks have yet to capitalize on the opportunity of the thriving online and mobile domestic person-to-person (P2P) transaction market. Online banking use more than doubled from 20 percent of households in 2000 to 53 percent in 2009, according to a December 2009 Javelin Strategy report (Multi-Channel Account-to-Account Transfers and P2P Payments Forecast: Evaluating Trends and Assessing the Future 2006–2014). Further, online bill payment usage has grown from 5 percent of households to 36 percent during the same time period. However, the traditional bank P2P methods of check, cash, and wire transfer continue to decline while online and mobile domestic transfers are expected to grow at a 9 percent compound annual growth rate, according to the Javelin Strategy report. As banks face continued downward pressure on revenues and intense competition from both new and existing players, the online and mobile P2P market represents a threat to banks' traditional check business. However, it also represents a potential opportunity for banks to offer a distinct service to their customers.
The expanding domestic P2P market
A 2009 TowerGroup report (Noncash P2P Payments: Checks in Decline Still Rule the Roost) estimates the U.S. noncash domestic transfer market at $1.1 trillion, composed of more than three billion transactions. Checks remain the dominant P2P means of settlement. However, the availability of the Internet to households, impressive growth of smartphones, exponential increases in consumer mobile data usage, and numerous mobile applications (especially for the iPhone) are creating a healthy environment for the growing online and mobile domestic transfer market in the United States. The Javelin Strategy report suggests nearly 44 percent of the 86 million online households made at least one online P2P transfer, up from 27 percent in 2008.
The online and mobile P2P market has been dominated by PayPal to date. However, payment processors, electronic card networks, and new emerging payment service providers have launched competing products over the last several years. PayPal and other service providers, such as CashEdge, Fiserv, FIS, and MasterCard, have each created products designed to integrate into banks' existing online and mobile channels. Although these products can be integrated into banking channels and the transactions are more convenient for consumers than a traditional bank wire or check transaction, the transaction is far from seamless. In order to use the online and mobile P2P products that banks currently offer, consumers must register not only with their bank but also with the bank's P2P service provider partner, which often requires them to submit their personal and banking account information. Adding further complications, completing the transaction may require the receiver of the payment, or the receiver’s bank, to have a relationship with the P2P provider that the payer uses.
Tapping the ACH network?
While it appears that the migration from paper checks to electronic forms of payment in the consumer-to-business market is crossing over to the P2P market, banks still have many hurdles to clear before they can capitalize on the P2P opportunity as online and mobile P2P payments become widespread. The P2P providers offer banks a solution that allows for quicker settlement than either checks or wire transfers, but the solution is still far from consumer-friendly. In order to provide banking consumers a friendlier P2P online and mobile service, banks could consider the development of a P2P solution that leverages the extensive ACH network in a manner similar to a person-to-business transaction. Much like mobile banking or bill payment, consumers could opt into the P2P service and transfer or receive funds between any banking institution on the ACH network without having to register with and provide confidential data to a third-party P2P service provider to access the service.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 24, 2011 in ACH, banks and banking, P2P | Permalink
January 10, 2011
Nonbanks and payments innovation: Because that's where the money is
In the past decade, nonbank companies have driven most payments innovations. For the most part, banks have left Silicon Valley startups and other third-party players to develop cool new payments gadgets and platforms that attract venture capital and YouTube views. While this dynamic and free market has allowed for great creativity, it has also meant that many of these new payments tools emerged outside the extensive system of regulations and consumer protections that exist in the banking industry.
This blog previously covered the lack of uniform regulation of money services businesses (MSBs), a significant gap given the expansion of financial services offered by MSBs like Western Union and MoneyGram in recent years. While providing a vital service for money transfer, MSBs may be vulnerable to money laundering and fraud schemes, as they lack the robust regulatory oversight that governs mainstream financial institutions. Through a series of industry partnerships, MSBs and other less-regulated nonbank payment companies are integrating with bank operations. For example, CashEdge, a relatively new alternative payment service provider, and MoneyGram recently announced one such partnership that could have implications for anti-fraud efforts.
Last year, MoneyGram paid $18 million in a Federal Trade Commission (FTC) settlement that charged the company had known about fraud on their system but did not work to address it, disregarding law enforcement warnings and willfully ignoring customer fraud complaints against agents. Consumers reported $84 million in losses between 2004 and 2008, but it is likely that many victims did not come forward, and the FTC claims that losses may actually have run into the hundreds of millions of dollars. Since the settlement, MoneyGram has invested heavily in anti-fraud measures, including enhanced agent training, improved communication with consumers, and greater partnership with law enforcement and the FTC. In response to questions from the Connecticut Watchdog, MoneyGram explained that these efforts have prevented $30 million in fraud this year and resulted in a 75 percent decrease in fraudulent transactions between the United States and Canada.
However, con artists continue to exploit Americans, evidenced by the recent Make-A-Wish scam. This scam has already defrauded victims of $20 million, with the thieves again using Western Union and MoneyGram to receive payments. Although these companies provide a valuable service to those sending money abroad to family and others, they are still vulnerable to threats from bad actors.
In light of this vulnerability, MoneyGram's announcement this past fall of a partnership with CashEdge to integrate with their POPmoney service bears scrutiny. POPmoney is a bank-initiated peer-to-peer payments service that went live late in 2009 and allows users to send friends and family money through text, e-mail, or online banking. The product has been very popular, with more than 100 banks adopting the service within six months of launch. The new partnership means that POPmoney users will be able to transfer money not just to other bank accounts, but also to any MoneyGram location around the world. These POPmoney-to-MoneyGram transactions will likely be fast and irreversible, using CashEdge’s convenience and MoneyGram's global presence. Furthermore, users will initiate all transactions via online or mobile banking, funding them directly from their primary bank account. Although MoneyGram launched enhanced anti-fraud technology last year for scanning risky transactions, these online transfers would bypass live agents whose training is one line of defense against fraud.
Although there may be considerable risks in integrating MSBs directly to a financial institution's online banking services, doing so could also be an opportunity to fight fraud in these channels. If banks' extensive experience in fraud detection and mitigation were applied to the money transfer business, it could significantly improve consumer safety and experience. If there are lessons to be learned here, they could be applied to a variety of similar partnerships across the industry, improving banks' access to innovation and enhancing the risk management capabilities of new payments products.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
January 10, 2011 in banks and banking, innovation, money services business (MSB), risk management | Permalink
May 24, 2010
Bank revenues and fraud detection: A marriage made in heaven?
Recently, a number of instances of account takeovers—or "man in the middle" attacks—have been labeled as ACH or wire transfer fraud because the subsequent fraudulent transactions flowed over the ACH or wire transfer networks. Such schemes frequently involve an interloper using the Internet to hack into a company's payroll system and create fraudulent transactions before the payroll file arrives at the company's originating bank. At first blush, it seems off base to attribute this type of fraud to the payments channel when the channel merely carried already fraudulent payments on to their intended destinations. Once these payments enter the clearing channel, banks and ACH/wire operators do not appear to have any easy way to identify them as fraudulent transactions.
The growing responsibility of banks to help their customers
Clearly, American businesses are in the eye of the storm when it comes to current account takeover attacks, so it's easy, if not appropriate, to attribute the fraud to absent or lax controls over their corporate databases. Needless to say, the smaller the business, the less likely that their knowledge, business model, or budgets include funding for fighting Internet-based fraud attacks. With this idea in mind, a judge recently ruled that such a company's bank was at least partially responsible for a corporate fraud loss because the bank had failed to assist the company by providing reasonable fraud control tools or services.
Such claims stem from a requirement stated in Article 4A of the Uniform Commercial Code (UCC) that makes banks responsible for using "commercially reasonable" security techniques to protect the data assets of the customer and bank. The term commercially reasonable does not have a specific definition but historically has been defined as the use of techniques significantly deployed by other similar industry service providers. Since there is no evidence that many banks provide ACH origination fraud detection services to their corporate customers, the historical test doesn't seem to have held sway in this case. Instead, it appears the judge used a different test for commercial reasonableness by indicating that there are technologies and tools available in the marketplace today, albeit not in wide use in banking, which the bank could have employed to assist the company. As we speak, and in a separate matter, a Texas bank is suing its business customer, claiming that at all times the bank maintained commercially reasonable security measures. The outcome of this action remains to be seen.
The potential for fee-based fraud detection services
Transferring the issue to the ACH payments front, perhaps it would be possible for banks to provide businesses with enhanced account takeover fraud control tools. For example, banks could offer the equivalent of positive pay in the check world for outbound ACH credit entries. That is, the company could update bank resident databases with their eligible payroll (or the bank could retain recent files), and the bank could validate the information on newly deposited payroll files to ensure that a significant number of new account numbers have not been introduced since the last payroll. Other services could include looking for significant variations in the number or dollar amount of transactions or requiring that companies assert dual controls on all payroll deposits before the payments enter the ACH processing stream at the originating financial institution.
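The checks described above (a positive-pay-style comparison of a new payroll file against known payees, variation in entry count and dollar total, and dual control) can be sketched as a single screening step run before a file enters ACH processing. This is an added example, not code from the original post; the thresholds, field names, reason codes, and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    routing: str        # receiving bank routing number
    account: str        # receiving account number
    amount_cents: int   # credit amount in cents, to avoid float rounding

@dataclass(frozen=True)
class Baseline:
    known_payees: frozenset  # (routing, account) pairs from prior accepted payrolls
    entry_count: int         # entries in the last accepted payroll
    total_cents: int         # dollar total of the last accepted payroll

# Assumed thresholds; a bank would tune these per client.
MAX_NEW_SHARE = 0.10   # share of entries (or dollars) going to unseen accounts
MAX_DRIFT = 0.25       # relative change in entry count or dollar total

def drift(current, previous):
    """Relative change against the previous payroll; growth from zero is infinite."""
    if previous == 0:
        return float("inf") if current else 0.0
    return abs(current - previous) / previous

def screen_batch(entries, baseline, submitted_by, approved_by):
    """Return {reason_code: detail}; an empty dict means the file may be released."""
    if not entries:
        return {"EMPTY_FILE": "no entries to originate"}
    holds = {}
    total = sum(e.amount_cents for e in entries)
    new = [e for e in entries if (e.routing, e.account) not in baseline.known_payees]
    new_total = sum(e.amount_cents for e in new)
    if len(new) / len(entries) > MAX_NEW_SHARE:
        holds["NEW_PAYEE_COUNT"] = f"{len(new)} of {len(entries)} entries go to unseen accounts"
    if total > 0 and new_total / total > MAX_NEW_SHARE:
        holds["NEW_PAYEE_DOLLARS"] = f"{new_total} of {total} cents go to unseen accounts"
    if drift(len(entries), baseline.entry_count) > MAX_DRIFT:
        holds["ENTRY_COUNT_DRIFT"] = f"{baseline.entry_count} -> {len(entries)} entries"
    if drift(total, baseline.total_cents) > MAX_DRIFT:
        holds["DOLLAR_DRIFT"] = f"{baseline.total_cents} -> {total} cents"
    # Dual control: a second, different person must approve before release.
    if not approved_by or approved_by == submitted_by:
        holds["DUAL_CONTROL"] = "file needs approval by someone other than the submitter"
    return holds

# Constructed sample data: routing and account values are placeholders.
RTN = "000000000"
LAST_PAYROLL = [Entry(RTN, f"EMP-{i:04d}", 200_000) for i in range(10)]
BASELINE = Baseline(frozenset((e.routing, e.account) for e in LAST_PAYROLL),
                    len(LAST_PAYROLL), sum(e.amount_cents for e in LAST_PAYROLL))

# One new hire: stays under every threshold.
NEW_HIRE = LAST_PAYROLL + [Entry(RTN, "EMP-0010", 200_000)]
# Same count and total, three unseen destination accounts: only the payee check sees it.
SWAPPED = LAST_PAYROLL[:7] + [Entry(RTN, f"UNSEEN-{i}", 200_000) for i in range(3)]
# Extra entries appended and self-approved: every check fires.
PADDED = LAST_PAYROLL + [Entry(RTN, f"UNSEEN-{i}", 900_000) for i in range(4)]

if __name__ == "__main__":
    for name, batch, approver in [("new hire", NEW_HIRE, "controller"),
                                  ("swapped", SWAPPED, "controller"),
                                  ("padded", PADDED, "clerk")]:
        print(name, screen_batch(batch, BASELINE, "clerk", approver) or "release")
```

The swapped-account file keeps the same entry count and dollar total as the last payroll, so the variation checks alone would release it; the comparison against known payees is what holds it.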
Such services might seem expensive to implement since they would entail the writing or acquisition of new front-end software. However, the provision of such runtime services to client companies could be a revenue opportunity for a fee-starved banking industry whose current fee revenue streams (overdrafts, interchange, credit card interest rates) are under attack on all fronts. Further, such grassroots corporate payments services could better address fraud at the inception point rather than the after-the-fact central monitoring of unauthorized returns by NACHA or the ACH operators. In fact, the ACH operators offer front-end fee-based risk monitoring services to their financial institution customers today, demonstrating the possible value of banks extending the concept to their corporate clients. Finally, one can conceive of the evolution of a suite of such services to include services that could detect potential insider fraud, a growing trend in a recessionary economy.
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
May 24, 2010 in account takeovers, banks and banking, malware, wire transfer fraud | Permalink
Comments
Posted by: richard oliver | May 24, 2010 at 02:13 PM
The detection options listed should be added but it will take time to implement them uniformly which would seem mandatory for larger clients that want the same standards across their institutions. Many of the online banking applications already have several measures available that are not used by banks that have them deployed. The security/convenience trade off decisions that banks make vary by an almost unbelievable degree.
It is my understanding that several U.S. regulatory bodies (including the Federal Reserve?) have begun discussing new security requirements for large payment transactions initiated online. Challenging each transaction initiation or every sensitive act (e.g. adding a new payee) would prevent most of the fraud seen during the last couple of years. If the challenge was conducted via another channel or out-of-band (a phone call) it would be even more effective.
Until forced, via judicial ruling or legislative action, it seems unlikely that banks will uniformly protect small business customers via any method.
Posted by: Rob | May 24, 2010 at 01:49 PM
December 14, 2009
Consumer preference for opt-in guides Fed rule on overdraft protection
A recent report by the Center for Responsible Lending found that more than 50 million Americans overdrew their checking account at least once over a 12-month period, with 27 million accountholders incurring five or more overdraft or nonsufficient funds (NSF) fees. The costs to consumers for overdrafts are significant, with many instances of fees exceeding the amount withdrawn. ATM and one-time debit card transactions have been a key driver behind the growth in the volume and cost of overdraft fees. Point-of-sale/debit overdraft transactions accounted for 41 percent of surveyed institutions' NSF transactions, according to an FDIC study. These POS/debit NSF transactions had a median dollar value of $20, while the median overdraft charge assessed by banks was $27.
To address high overdraft costs, last month the Federal Reserve Board issued a final rule amending Regulation E, which will provide greater consumer protection by limiting the fees financial institutions can charge consumers for paying overdrafts on ATM and most debit card transactions.
The new rule essentially eliminates a common practice by financial institutions of automatically enrolling consumers in overdraft services. In fact, the aforementioned FDIC study found that 75 percent of banks automatically enrolled customers in automated overdraft programs. Starting on July 1, 2010, financial institutions will have to provide a notice explaining their overdraft service and fees for ATM and one-time debit card transactions before the consumer can accept it. The rule includes a model form that institutions may use to satisfy the notice requirement.
Public comments and consumer testing help inform final revisions
The Board's final revisions to Regulation E were informed by comments received on its January 2009 Regulation E proposal and results of consumer testing. The Board received more than 20,700 comment letters (including 16,000 form letters) on its January 2009 proposal, the majority of which were submitted by individual consumers. In addition, the Board engaged a consultant to conduct consumer testing on a model disclosure notice that would effectively communicate information to consumers about how their overdrafts would be handled by the bank, what fees they could be potentially charged, and what choices they had related to overdrafts.
Consumer advocates, members of Congress, federal and state regulators, and the overwhelming majority of individual consumers who commented favored the opt-in provision because they felt that the harm to consumers from overdraft fees outweighed the benefits from permitting the payment of ATM and debit card overdrafts. In contrast, the majority of industry commenters contended that the opt-out approach was better because it provided consumers with the benefits of overdraft services with fewer disruptions to the consumer and bank operations.
In the end, the Board determined that an opt-in approach to permitting overdrafts was the best decision for consumers. This decision was based partly on the Board's consumer testing, which indicated that consumers prefer to have transactions declined rather than incur fees for overdrafts.
Certain types of transactions not covered by the rule
Other types of transactions are not covered by the rule, including withdrawal by check, ACH, and recurring debit. The Board determined that with respect to checks, the payment of overdrafts may be preferable to having the check returned for NSF and paying the return fees charged by the bank and merchant. In addition, participants in the Board’s consumer testing generally indicated that they were more likely to pay important bills using checks, ACH, and recurring debits. Debit cards were primarily used on a one-time basis for discretionary purchases.
Opting in is not a requirement for other services
Consumers who do not accept an institution's overdraft service cannot be treated differently than those who opt in. For example, institutions are prohibited from declining payment of overdrafts of other types of transactions (e.g., checks and ACH) because the consumer did not opt in to that institution's overdraft service for ATM and one-time debit card transactions. The institutions are also required to provide those customers with the same account terms, conditions, and features that they provide to consumers who do elect to take the service.
Overdraft fee income for banks and credit unions rose 35 percent in the last two years. Although not a panacea, the Board's overdraft rules provide greater protection for consumers in navigating their personal finances. Ultimately, an informed consumer is the best consumer protection.
By Jennifer Grier, senior payments risk analyst at the Atlanta Fed
December 14, 2009 in banks and banking | Permalink


Rob, excellent observations with which I agree in part. However, the concept I was pushing here is that banks can leverage the growing awareness of commercial fraud into fee revenue product opportunities to make a part of their business client's offering.